{"id":11739,"date":"2025-06-23T21:02:07","date_gmt":"2025-06-23T21:02:07","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts\/"},"modified":"2025-06-23T21:02:07","modified_gmt":"2025-06-23T21:02:07","slug":"wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts\/","title":{"rendered":"WordPress Motors theme flaw mass-exploited to hijack admin accounts"},"content":{"rendered":"

WordPress <\/p>\n

\n

\"Wordpress<\/p>\n

Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme “Motors” to hijack administrator accounts and gain complete control of a targeted site.<\/p>\n

The malicious activity was spotted by Wordfence, which had warned last month about the severity of the flaw, tracked under CVE-2025-4322, urging users to upgrade immediately.<\/p>\n

Motors, developed by StylemixThemes, is a WordPress theme popular among automotive-related websites. It has 22,460 sales on the EnvatoMarket and is backed by an active community of users.<\/p>\n

The privilege escalation vulnerability was discovered on May 2, 2025, and first reported by Wordfence on May 19, impacting all versions before and including 5.6.67.<\/p>\n

The flaw arises from an improper user identity validation during password updating, allowing unauthenticated attackers to change administrator passwords at will.<\/p>\n

StylemixThemes released Motors version 5.6.68, which addresses CVE-2025-4322, on May 14, 2025, but many users failed to apply the update by Wordfence’s disclosure and got exposed to elevated exploitation risk.<\/p>\n

As Wordfence confirms in a new writeup, the attacks began on May 20, only a day after they publicly disclosed the details. Wide-scale attacks were observed by June 7, 2025, with Wordfence reporting blocking 23,100 attempts against its customers.<\/p>\n

\n
\"Wordpress
Daily attack volumes<\/strong>
Source: Wordfence<\/em><\/figcaption><\/figure>\n<\/div>\n

WordPress Attack process and signs of breach<\/h2>\n

The vulnerability is in the Motors theme’s “Login Register” widget, including password recovery functionality.<\/p>\n

The attacker first locates the URL where this widget is placed by probing \/login-register, \/account, \/reset-password, \/signin, etc., with specially crafted POST requests until they get a hit.<\/p>\n

The request contains invalid UTF-8 characters in a malicious ‘hash_check’ value, causing the hash comparison in the password reset logic to succeed incorrectly.<\/p>\n

The POST body contains a ‘stm_new_password’ value that resets the user password, targeting user IDs that typically correspond to administrator users.<\/p>\n

\n
\"Wordpress
Example requests from the attacks<\/strong>
Source: Wordfence<\/em><\/figcaption><\/figure>\n<\/div>\n

Attacker-set passwords observed in the attacks so far include:\u00a0<\/p>\n

    \n
  • Testtest123!@#<\/li>\n
  • rzkkd$SP3znjrn<\/li>\n
  • Kurd@Kurd12123<\/li>\n
  • owm9cpXHAZTk<\/li>\n
  • db250WJUNEiG<\/li>\n<\/ul>\n

    Once access is gained, the attackers log into the WordPress dashboard as administrators and create new admin accounts for persistence.<\/p>\n

    The sudden appearance of such accounts combined with existing administrators being locked out (passwords no longer working) are signs of CVE-2025-4322 exploitation.<\/p>\n

    Wordfence has also listed several IP addresses that launch these attacks in the report, which WordPress site owners are recommended to put on their block list.<\/p>\n

    \n

    \n \"Wordpress\n <\/p>\n

    \n

    WordPress Why IT teams are ditching manual patch management<\/h2>\n

    Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.<\/p>\n

    In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.<\/p>\n<\/p><\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

    WordPress Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme “Motors” to hijack administrator accounts and gain<\/p>\n","protected":false},"author":7282,"featured_media":11740,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-11739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=11739"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11739\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/11740"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=11739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=11739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=11739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}